This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, go to https://wso2.com/documentation/.
Working with Properties of User Stores
The following table provides descriptions of the key properties you use to configure primary user stores.
Property name | Description |
|---|---|
MaxUserNameListLength | Controls the number of users listed in the user store of a WSO2 product. This is useful when you have a large number of users and don't want to list them all. Setting this property to 0 displays all users. |
ConnectionURL | Connection URL to the user store server. In the case of default LDAP in Carbon, the port is specified in the |
ConnectionName | The username used to connect to the database and perform various operations. This user does not have to be an administrator in the user store or have an administrator role in the WSO2 product that you are using, but this user MUST have permissions to read the user list and users' attributes and to perform search operations on the user store. The value you specify is used as the DN ( |
ConnectionPassword | Password for the ConnectionName user. |
DisplayNameAttribute | This is an optional property. The Display Name Attribute is the name by which users will be listed when you search for users in the management console (Go to Configuration -> Users tab). |
PasswordHashMethod | Password hash method to use when storing user entries in the user store. |
UserNameListFilter | Filtering criteria for listing all the user entries in the user store. This query or filter is used when doing search operations on users. In this case, the search operation only provides the objects created from the specified class. This query is the same as listing out all the available users in the management console. |
UserEntryObjectClass | Object class used to construct user entries. By default, it is a custom object class defined with the name wso2Person. |
UserSearchBase | DN of the context or object under which the user entries are stored in the user store. In this case, it is the "users" container. When the user store searches for users, it will start from this location of the directory. Different databases have different search bases. |
UserNameSearchFilter | Filtering criteria used to search for a particular user entry. |
UserNameAttribute | The attribute used for uniquely identifying a user entry. Users can be authenticated using their email address, UID, etc. The name of the attribute is considered as the username. For information on using email address to authenticate users, click here. |
UsernameWithEmailJavaScriptRegEx | This property defines the JavaScript regular expression pattern when the <Property name="UsernameWithEmailJavaScriptRegEx">^[\S]{3,30}$</Property>
|
| Policy that defines the password format. |
UsernameJavaScriptRegEx | The regular expression used by the front-end components for username validation. |
UsernameJavaRegEx | A regular expression to validate usernames. By default, strings have a length of 5 to 30. Only non-empty characters are allowed. You can provide ranges of alphabets, numbers and also ranges of ASCII values in the RegEx properties. <Property name="UsernameJavaRegEx">[a-zA-Z0-9._\-|/]{3,30}$</Property>
|
RolenameJavaScriptRegEx | The regular expression used by the front-end components for role name validation. |
RolenameJavaRegEx | A regular expression used to validate role names. By default, strings have a length of 5 to 30. Only non-empty characters are allowed. <Property name="RolenameJavaRegEx">[a-zA-Z0-9._\-|/]{3,30}$</Property>
|
| (JDBC) This property can be set to 'false' for case insensitive JDBC user stores for performance improvements. <Property name="CaseInsensitiveUsername">false</Property> |
ReadGroups | Specifies whether groups should be read from the user store. If this is disabled by setting it to false, none of the groups in the user store can be read, and the following group configurations are NOT mandatory: GroupSearchBase, GroupNameListFilter, or GroupNameAttribute. |
Referral | Guides the request to a domain controller in the correct domain |
WriteGroups | Specifies whether groups should be written to user store. |
EmptyRolesAllowed | Specifies whether the underlying user store allows empty groups to be created. In the case of LDAP in Carbon, the schema is modified such that empty groups are allowed to be created. Usually LDAP servers do not allow you to create empty groups. |
GroupSearchBase | DN of the context under which user entries are stored in the user store. |
GroupSearchFilter | The query used to search for groups. |
GroupNameListFilter | Filtering criteria for listing all the group entries in the user store. Groups are created in LDAP using the "groupOfName" class. The group search operation only returns objects created from this class. |
GroupEntryObjectClass | Object class used to construct group entries. |
GroupNameSearchFilter | Filtering criteria used to search for a particular group entry. |
GroupNameAttribute | Attribute used for uniquely identifying a user entry. This attribute is to be treated as the group name. |
MembershipAttribute | Attribute used to define members of groups. |
MembershipAttributeRange | Attribute used by Active Directories where they need limit membership attributes. The default value for this is 1500. |
UserRolesCacheEnabled | This is to indicate whether to cache the role list of a user. By default this is set to true. Set it to false if the user roles are changed by external means and those changes should be instantly reflected in the Carbon instance. |
UserDNPattern | (LDAP) The patten for the user's DN, which can be defined to improve the search. When there are many user entries in the LDAP user store, defining a UserDNPattern provides more impact on performances as the LDAP does not have to travel through the entire tree to find users. |
ReplaceEscapeCharactersAtUserLogin | (LDAP) If the user name has special characters it replaces it to validate the user logging in. Only "\" and "\\" are identified as escape characters. |
TenantManager | Includes the location of the tenant manager. |
| (LDAP and JDBC) Indicates whether the user store of this realm operates in the user read only mode or not. |
| (JDBC) Indicates whether the user's email is used as their username (apply when realm operates in read-only mode). |
| (JDBC) Can be either default or custom (this applies when the realm operates in read only mode). |
| (JDBC) Digesting algorithm of the password. Has values such as, PLAIN_TEXT, SHA etc. |
| (JDBC) Indicates whether to salt the password. Tip: Make sure you secure the password with salt and key. |
| (JDBC) An attribute used for multi-tenancy. |
| (LDAP and JDBC) A regular expression to validate passwords. By default, strings having a length between 5 to 30 with non-empty characters are allowed. |
| The regular expression used by the front-end components for password validation. |
| A regular expression to validate usernames. By default, strings having a length 5 to 30 between with non-empty characters are allowed. |
UsernameJavaScriptRegEx | The regular expression used by the front-end components for username validation. |
| A regular expression to validate role names. By default, strings having a length between 5 to 30 with non-empty characters are allowed. |
| The regular expression used by the front-end components for rolename validation. |
MultiTenantRealmConfigBuilder | Tenant Manager specific realm config parameter. Can be used to build different types of realms for the tenant. |
SharedGroupEnabled | This property is used to enable/disable the shared role functionality. |
SharedGroupSearchBase | Shared roles are created for other tenants to access under the mentioned DN. |
SharedTenantObjectClass | Object class for the shared groups created. |
SharedTenantNameAttribute | Name attribute for the shared group. |
SharedTenantNameListFilter | This is currently not used. |
| If the connection to an LDAP is inactive for the length of time (in milliseconds) specified by this property, the connection will be terminated. |